Impact of Log4j Vulnerability for the Rock Community

For those worried about the newly reported Log4j vulnerability there is little to fear as far as Rock is concerned. The Log4j library is a Java library and Rock is entirely C#. We use an alternative library for logging called Serilog.

For churches using Elasticsearch as a universal search provider (we only know of a handful) there may be a possibility for exposure. The server running Elasticsearch runs on a separate server than the Rock server. While the latest version of Elasticsearch is not vulnerable to the exploit , there is no mention of the version of Elasticsearch supported by Rock (v2.x) in their article. Because of this Spark would highly recommend that the ElasticSearch server be behind a firewall (this is a best-practice) until there is an official statement from Elasticsearch.